Navigating the Potential Windows XP Apocalypse

To upgrade, or not to upgrade? It’s a question that each organization must grapple with. Yet, not all environments lend themselves to a move away from Windows XP. Wendy M. Grossman surveys the peril.

Thirteen years ago, in 2001, AOL and Time-Warner merged, marking the peak of the dot-com boom and sparking the dot-com bust. Wikipedia and the iPod hit the market. People bought ‘candy bar’ feature phones. New computers had Pentium chips. And, in October of that year, Microsoft released Windows XP.

That was then, and this is now. Microsoft officially ended support for most versions of XP on April 8, 2014. There was a brief moment of reprieve when, on May 1, Microsoft included the aging operating system in the patch for a newly found zero-day vulnerability in Internet Explorer version 6 and above. But no more, the company said at the time. The exceptions are the several versions of embedded Windows XP, such as those for ATMs and point-of-sale systems; they will be supported until 2016 for ATMs, and through 2019 for POS systems.

Qualys estimated in April that although the number of XP systems is steadily dropping, 13% of its scans still found Windows XP in use as of the first quarter of 2014. Reports from other sources vary.

Sergio Galindo, general manager of the infrastructure business unit for GFI Software and former head of IT at a large financial services company, says he's seeing closer to 20%. Karl Sigler, manager of SpiderLabs Threat Intelligence at Trustwave, predicts it may even be as high as 25%. Lamar Bailey, the leader of the Vulnerability and Exposures Research Team for Tripwire, says his large-organization customers report closer to 10%. Whatever the percentage, it's clearly substantial.

Sigler isn't particularly sympathetic. "[XP] is getting creakier and older, and it's going to be obvious that it's not working relatively soon", he says.

Resisting Change

The reasons for not upgrading vary. In smaller businesses, Galindo says, "they don't see the benefits, only the cost." Larger businesses see the risk in staying, but, "many still have applications running on XP."

Often, Bailey observes, these are applications that can't be upgraded: the original vendor has not issued an updated version or has gone out of business; the specialist software's coders are no longer available and no one else understands the code; the cost of updating is wildly disproportionate; or the source code is lost. Or, as Fred Touchette, a senior security analyst at AppRiver says, in some cases – such as expensive medical equipment – trying to update the underlying operating system may break the proprietary software that runs it.

"I still see Windows NT in environments sometimes", Bailey notes. Occasionally, adds Guillaume Lovet, manager of threat response EMEA for Fortinet, the cost and hassle of replacing the underlying hardware also figure into the decision. Plus, while every customer sees the effort involved in learning a new interface, many don't see the better security built in under the hood.

"Exploiting Windows 7 is a hell of a lot more difficult than exploiting XP." – Guillaume Lovet, manager of threat response EMEA for Fortinet

Something like the expense argument applies to the 95% of ATMs that still run XP. Support for their version will continue until April 2016, but even so, sending someone to each individual ATM to update its software and – probably – hardware, is labor-intensive. In the US, the move to adopt anti-fraud chip and PIN, already a decade old in Europe, might be an opportunity.

"A lot of companies are already in the process of upgrading point-of-sale systems and ATMs for chip and PIN", says Sigler. However: "They have this whole plan in place with budget and finances and they're ready to go – but they never put in place, in seven years, a plan to upgrade the operating systems. The two projects really weren't merged. It's really indicative of the type of priorities that organizations set."

The Bigger Picture

Ruth Anderson, a senior manager in KPMG's cybersecurity team, takes a broader view. "End-of-life and end-of-support is not just about XP, but about how companies do this more broadly and manage the risks they face as a result", she says. In her view, organizations should treat the decision about whether and how to upgrade as part of a broader vulnerability assessment.

"Companies should absolutely be looking at where their end-of-life software is, including XP. If they're not going to upgrade, then they have to decide what they're going to do, but they should look at it in the context of all the vulnerabilities they face as an organization." – Ruth Anderson, senior manager in KPMG's cybersecurity team

Assessing that risk isn't easy. The obvious first question is whether the system in question is connected to the internet or is easily accessible from other parts of the network. Galindo says that most companies are smart enough to have isolated those systems to lessen the chances of a successful attack (see box).

What seems certain is that the risk will increase as known but unpatched vulnerabilities pile up. Many believe the coming months will see attacks based on Windows XP vulnerabilities that have been found and saved up over the last six or more months, awaiting the end of support. Another possibility, suggested by Galindo, is that attackers will reverse-engineer upcoming patches for Windows 7 and 8 to deduce where there may be similar holes in XP.

An equally important question surrounds the threat model. It's one thing if the asset being protected is revocable information such as credit card numbers; worse if the asset is more sensitive and permanent, such as medical and financial records, that cannot be recalled once it has escaped.

Finally, it's important to assess the assets that the continued use of Windows XP puts at risk.

Stationary Risks

For Tim Keanini, CTO of Lancope, the constancy and speed of change are risk factors. "The internet has caused an evolution in information systems to change faster, and anybody who can't change is going to be fragile in this dynamic world."

This is one reason that Matt Palmer, chair of the Channel Islands Security Forum, believes the entire software industry may have to rethink its approach.

"Very few organizations, small or large, can afford to turn over their entire software estate on a three-to-five-year basis", he says. Y2K upgrades were the result of programmers’ basing coding decisions on the assumption that their software would not still be in use 50 years later. "There is this assumption that software is temporary – and it really isn't temporary", Palmer reflects. Even in his relatively short career so far (he entered the industry at the turn of the 21st century), Palmer has come across companies running software written in the 1980s.

"Nobody really expected that stuff to be in use today, but it is. It's foolish to think that the stuff we're writing now will be obsolescent in a few years' time." – Matt Palmer, chair of the Channel Islands Security Forum

This will especially apply to the developing Internet of Things: people will expect software to last as long as the expensive items they're used to replacing only a few times during their lives, such as refrigerators, cars, high-end medical equipment, and the industrial control systems they are embedded in. "If something is doing the job it's meant to do, you don't want to have to throw it away", he adds. Many software companies have benefited handsomely from software that needs regular replacement. But, as Palmer says, "from the customer's point of view, the last thing I want is everything written for me every few years, but we are very bad at writing software that hands over seamlessly to its successor."

While not going quite as far as Palmer, Tripwire's Lamar Bailey at least partially agrees. "There needs to be an easier way to migrate cost-effectively", he asserts. "If we can make it so the test cycle is not so long and updates can be rolled out easier, then we won't get stuck in this place anymore."

That's a hope for the future. For the present, says Fred Touchette: "The best advice is to upgrade immediately."

The View From Microsoft

Tim Rains, director of Microsoft’s Trustworthy Computing Group, recently gave his company’s take on Windows XP end-of-life and the associated security risks. To read his opinions and recommendations, visit:

Managing Legacy Systems

As previously noted, in some situations, organizations have little choice but to continue running Windows XP. In these cases, limit the attack vectors as much as possible. Treat such machines as a high-risk presence on your network, and ring-fence them as much as you can. Here is a list of some of the finer points as outlined by the experts we consulted:

  • Don't use Windows XP machines for email or web surfing, says Sergio Galindo; keep them away from virus-laden websites, rogue links, and other dangers.
  • Isolate them on a separate network and protect them with a firewall and as many security controls as you can, says Lamar Bailey.
  • If you can keep the box disconnected from the internet, your chances for safety go way up, notes Guillaume Lovet. Fred Touchette adds that this is doubly true if you can lock it down so the box only sends information but doesn't receive it, as might be possible with some medical equipment, for example.
  • Shut down unnecessary functions to shrink the attack surface, says Karl Sigler, and pentest regularly.
  • Make sure you know exactly where your end-of-life software is and that you thoroughly understand both the risk you're taking and the protections you have in place in the context of all the vulnerabilities the organization faces, says Ruth Anderson.
  • Ensure you are able to spot attacks as soon as they arise; today's attackers can be highly patient and persistent, hiding out in the network for months or even years, says Tim Keanini.
  • Bear in mind that attackers will be studying your network looking for the easiest points of entry and locations where they can hide out, awaiting their chance to escalate the attack. Windows XP will be high up on the list of vulnerabilities they're looking for – and, as Galindo warns, "You can only be as secure as that weakest link."
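As an added example (not code from the article or from any of the firms quoted), the following Python script applies the checklist above, together with the support-end dates the article gives, to a small asset inventory and ranks the out-of-support hosts by how many of the recommended controls they lack; the inventory fields, host names and scoring weights are assumptions made for the illustration.

```python
# Added example, not from the article: triage an inventory against its checklist.
from dataclasses import dataclass
from datetime import date
# Support-end dates as the article gives them (embedded: last day of period, assumed).
SUPPORT_END = {
    "xp": date(2014, 4, 8),
    "xp-embedded-atm": date(2016, 4, 30),
    "xp-embedded-pos": date(2019, 12, 31),
}

@dataclass
class Host:
    name: str
    os: str                  # key into SUPPORT_END, or any other OS label
    internet_facing: bool
    segmented: bool          # own network segment behind a firewall
    used_for_email_or_web: bool
    inbound_allowed: bool    # accepts connections rather than send-only
    asset: str               # "revocable" (card numbers) or "permanent" (records)

def unsupported(host, today):
    end = SUPPORT_END.get(host.os)
    return end is not None and today > end

def gaps(host):  # checklist items from the article the host does not satisfy
    missing = []
    if host.used_for_email_or_web:
        missing.append("stop using it for email and web browsing")
    if not host.segmented:
        missing.append("isolate on a separate network behind a firewall")
    if host.internet_facing:
        missing.append("disconnect from the internet")
    if host.inbound_allowed:
        missing.append("lock down to send-only where the workload allows")
    return missing

def risk_score(host):  # one point per missing control, +2 for data that cannot be recalled
    return len(gaps(host)) + (2 if host.asset == "permanent" else 0)

def triage(hosts, today):  # unsupported hosts, highest risk first, with gaps
    rows = [(risk_score(h), h.name, gaps(h)) for h in hosts if unsupported(h, today)]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

SAMPLE = [  # constructed inventory, not real hosts
    Host("lab-imaging-01", "xp", False, True, False, False, "permanent"),
    Host("branch-atm-17", "xp-embedded-atm", False, True, False, True, "revocable"),
    Host("front-desk-pc", "xp", True, False, True, True, "permanent"),
    Host("hr-laptop", "win7", True, False, True, True, "permanent"),
]
REPORT = triage(SAMPLE, date(2014, 6, 1))  # win7 host and still-supported ATM are dropped
```

Run against the constructed inventory as of June 2014, the report lists only the two desktop XP hosts: the unsegmented, internet-facing front-desk PC scores highest, while the ring-fenced imaging box keeps a residual score for the medical records it holds.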
